diff --git a/xen.spec b/xen.spec index 9b0c237..6458986 100644 --- a/xen.spec +++ b/xen.spec @@ -58,7 +58,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.15.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ Source0: https://downloads.xenproject.org/release/xen/%{version}/xen-%{version}.tar.gz @@ -113,6 +113,7 @@ Patch41: xen.gcc9.fixes.patch Patch42: xen.gcc10.fixes.patch Patch43: xen.gcc11.fixes.patch Patch44: xen.ocaml.4.12.fixes.patch +Patch45: xsa386.patch %if %build_qemutrad @@ -322,6 +323,7 @@ manage Xen virtual machines. %patch42 -p1 %patch43 -p1 %patch44 -p1 +%patch45 -p1 # qemu-xen-traditional patches pushd tools/qemu-xen-traditional @@ -917,6 +919,9 @@ fi %endif %changelog +* Sun Sep 12 2021 Michael Young - 4.15.1-2 +- PCI devices with RMRRs not deassigned correctly [XSA-386, CVE-2021-28702] + * Sun Sep 12 2021 Michael Young - 4.15.1-1 - update to xen-4.15.1 remove or adjust patches now included or superceded upstream diff --git a/xsa386.patch b/xsa386.patch new file mode 100644 index 0000000..83f24d3 --- /dev/null +++ b/xsa386.patch 
@@ -0,0 +1,29 @@
+From: Jan Beulich
+Subject: VT-d: fix deassign of device with RMRR
+Date: Fri, 1 Oct 2021 15:05:42 +0200
+
+Ignoring a specific error code here was not meant to short circuit
+deassign to _just_ the unmapping of RMRRs. This bug was previously
+hidden by the bogus (potentially indefinite) looping in
+pci_release_devices(), until f591755823a7 ("IOMMU/PCI: don't let domain
+cleanup continue when device de-assignment failed") fixed that loop.
+
+This is CVE-2021-28702 / XSA-386.
+
+Fixes: 8b99f4400b69 ("VT-d: fix RMRR related error handling")
+Reported-by: Ivan Kardykov
+Signed-off-by: Jan Beulich
+Tested-by: Ivan Kardykov
+
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -2409,7 +2409,7 @@ static int reassign_device_ownership(
+ ret = iommu_identity_mapping(source, p2m_access_x,
+ rmrr->base_address,
+ rmrr->end_address, 0);
+- if ( ret != -ENOENT )
++ if ( ret && ret != -ENOENT )
+ return ret;
+ }
+ }
+
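Review bot: The corrected check `if ( ret && ret != -ENOENT )` in reassign_device_ownership() has no comment explaining which outcomes may fall through, and that gap is what let the earlier form regress. The removed `if ( ret != -ENOENT )` also returned when ret was 0, so the caller was handed a success code while, per the commit message, deassignment had stopped after the RMRR unmapping. I would add a comment directly above the check, for example `/* Only a real error aborts here; success and -ENOENT must both continue with the rest of the deassignment. */`. The function body starts and ends outside this hunk, so the remaining deassignment steps are not visible for checking here.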